trinity-users@lists.pearsoncomputing.net

Month: April 2018

Re: Re: Re: more re. tde and qt5

From: deloptes <deloptes@...>
Date: Mon, 30 Apr 2018 09:21:23 +0200
William Morder wrote:

> 
> 
> On Saturday 28 April 2018 23:33:39 deloptes wrote:
>> William Morder wrote:
>> > So far it's the best option for private, secure email. You'll have to
>> > do some reading about it (and compare with other email services) to
>> > know why. Either you want end-to-end encryption, and other
>> > privacy/security features, or you don't (yet) care that much.
>> >
>> > My only other option seems to be to roll my own (that is, host my own
>> > email server on my own machine). I know of several people who do that
>> > (such as Richard Stallman, if I recall), but it's a pain in the behind,
>> > and a lot of work just to host your own email accounts with your own
>> > domain, etc.
>> >
>> > I will try to make some enquiries about what is involved, if anybody
>> > else really wants to know. So far, I've just been doing a lot of
>> > reading, and it seems a little too much trouble. In lieu of that kind
>> > of hassle, then, there is ProtonMail.
>>
>> You are welcome to use the hosting service of a friend or so. If you
>> don't have such, we have one here, just let me know. I pay for 5 domains
>> 140/y.
> 
> Thanks, but no money to spend at present.
> 
>> What I do not understand in the whole picture is how you get "encryption
>> end to end" - it means the other end must also be encrypted. So what is
>> the difference between this ProtonMail and using normal GnuPG.
>>
> 
> I think the problem here (and in another email you answer to somebody
> else, dep, I think) is the conflation of two ideas: 1. end-to-end
> encryption (which you're right, Kmail offers, but you have to do some work
> yourself, whereas Proton is encrypted by default); and 2. a secure email
> service where all emails are encrypted, and content or contact information
> cannot be read even by the admins. And it is much better to download
> emails to my own computer, rather than to leave them on the server where
> they could be read by who knows?
> 

How is it encrypting by default, when it does not have access to your
private key? You always provide a password to use the private key. If it is
not the case, it is not secure - so I guess you somehow misunderstand what
ProtonMail is (not that I understand properly what it is). In theory it is
not possible to have encryption by default without providing the passphrase
for the private key - all of this is supported in kmail - I can tell kmail
to always encrypt for specific recipient(s).

> Gmail, for example, can be used with Kmail, and properly encrypted; but if
> any emails are left on the server, all data is gathered and reused by
> Google, as I have discovered myself due to some targeted ads - which were
> obviously related to recent emails that I had received.
> 
> Our querent here, dep, as a journalist, would like to keep his sources and
> contacts confidential. And while I am not a journalist as such, I am
> engaged in research and writing (mostly history, anthropology, etc.),
> which, in the wrong hands, might be twisted and misused to make my work
> appear to be something it is not.
> 

Did you try OTR? AFAIK it is the one that journalists use and I think OTR is
also supported in Kopete, but there are also other tools. You basically
don't communicate things via mail except when to meet someone and where -
that's it.

> Lavabit used to offer a similar service, and got shut down. ProtonMail,
> because they are located in Switzerland, promise (or hope) not to succumb
> to pressure to snoop on users, or to create backdoors, etc.
> 

Yes, I think a friend was looking into it because it is in Switzerland. But
this has nothing to do with the way encryption works. So I think you have
to distinguish between the location of the mail server and actual
encryption.

> I have no clue if they are as good as they promise, but my mode of
> operation is first to do a little research, then usually to try them out,
> and find out by experience. Until I get a 32-bit bridge package and a free
> account, ProtonMail is out for me, but I'll be watching what others have
> to say.
> 
> Someday, we can only hope, secure, private emails will be the norm, rather
> than the exceptions.
> 

I have followed GnuPG since I uplifted kpgp to gnupg2 last year and there
are discussions about making key distribution more accessible. In fact they
did change a few things regarding sks lately and it is much easier to find
the public keys of someone to import and encrypt.
Finally you have to have your servers under your control - anything else is
not likely to be secure enough - even in Switzerland, although it is much
better than somewhere else, it does not guarantee much.

To sum up - you have a few additional steps when using TDE's kmail+kpgp, but
it is for free.